Strategies to Secure Critical Infrastructure

Critical infrastructure - energy, defense and transportation among the components - form the backbone of a nation's economy, security and health. Hence, it is imperative to secure critical infrastructure elements, such as power grids, communication and finance.

A persistent cyberattack on critical infrastructure could play havoc. The challenge, then, is to find new ways to mitigate risks emerging from rising threats to critical infrastructure.

"The critical infrastructure and information is the responsibility of the board, and hence the board has to work toward protecting and securing the same against threats," says Sachin Burman, director at India's National Critical Information Infrastructure Protection Centre.

This discussion emerged during the recent Cyber 360 event in Bangalore.

Critical Infrastructure Protection Challenges

Many experts argue that little has been done to secure critical infrastructure, mainly because of lack of skills, proper communication and awareness.

Critics say that this is also why boards do not take ownership of the critical infrastructure and its protection, or hold security teams accountable for any untoward incidents.

U.S.-based Melissa Hathaway, a senior fellow at Potomac Institute for Policy who runs the cybersecurity consultancy Hathaway Global Strategies, sees the need to tie cybersecurity to the economic strength and stability of the nation.

"The most critical challenge for every region or nation is defining what critical infrastructure is, which needs to be protected [at] any cost," she says. "In addition, while in many ways organisations have created a glass house believing it to be secure, in most cases it is not resilient enough to protect against threats."

As the Modi government is encouraging digital India, Hathaway says, every sector is embracing the technological environment, and there is a need to ensure it has minimal exposure to threats.

Reddy endorses the view, noting: "Cybersecurity is not associated with government alone. Every corporation and person is responsible for protecting critical infrastructure and information as it involves public safety."

The question is: Who is accountable, and how and where should risk management strategies be prioritised?

NCIIPC's Burman says that although government organisations have been taking measures to protect the country's infrastructure, they have not been successful in reaching out to people. "A lot of action needs to be taken on a war-footing to ensure that critical infrastructure is protected against threats, besides bringing about changes in the process," he says.

The challenge, he points out, is that no enterprise, be it in the government or the private sector, is in a good position to identify what information is critical.

Strategies to Secure the Infrastructure

There is no 'one-size-fits-all' concept when it comes to protecting critical infrastructure. This 360-degree approach recommends looking into many aspects of overhauling security procedures as threats become more sophisticated in nature.

For instance, Reddy believes a systematic approach needs to be taken to list the priorities of a risk mitigation plan. She says there are five pertinent aspects that need to be addressed to ensure infrastructure protection:

Identify what critical information is and the infrastructure that is going to impact citizens;

Find out the kind of techniques that need to be applied to protect these;

Indentify global security guidelines to adopt while protecting telecommunication and cyber networks, which, if damaged, could cause physical disruption of other sectors, such as energy and power;

Remove glasshouse infrastructure and encourage bilateral agreements with universities and corporate and international groups to roll out cybersecurity courses and technology transfer.

Burman says one must assume that the criticality of operations of any enterprise will determine the criticality of the underlying architecture. He suggests practitioners adopt a simple way to tackle critical infrastructure challenges. "Approach the issue with a business continuity and disaster recovery perspective; it needs to be viewed from a macro and micro level," he says.

"While the board decides what is critical to them and what needs to be protected against threats, the security head will work on the framework to decide how to protect and create necessary architecture," Burman adds. "Cybersecurity is not restricted to security teams alone. It encompasses overall posture of information assurance which affects every department. Protecting organisational critical infrastructure is a collaborative effort."

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.